The premise of my Commode Computing presentation was that we desperately need automation in every aspect of “security,” and that we should work toward exposing APIs in stacks and products so that they support not only control but also audit and compliance across physical and virtualized solutions.

Numerous efforts underway underscore both this need and the industry’s response to it. Platform providers (virtualization and cloud) are leading the charge, since much of their stacks rely on automation to function at all, and the ecosystem of third-party solutions that add value on top of them is following suit.

Most of the work is going into ensuring that the latest virtualized versions of products/solutions are API-enabled, while older products, still configured through a CLI or GUI, in many cases rely on legacy management consoles or on intermediary automation and orchestration “middlemen” to be automated.

Here’s a great example of how one might use (Perl) scripting against the RESTful API of VMware’s vShield Edge to provision, orchestrate and even audit firewall policies. It’s a fantastic write-up from Richard Park of SourceFire (h/t to Davi Ottenheimer for the pointer):

Here is an overview of how to use perl code to work with VMware’s vShield API.

vShield App and Edge are two security products offered by VMware. vShield Edge has a broad range of functionality such as firewall, VPN, load balancing, NAT, and DHCP. vShield App is a NIC-level firewall for virtual machines.

We’ll focus today on how to use the API to programmatically make firewall rule changes. Here are some of the things you can do with the API:
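The audit half of that workflow, as an added example that is not part of Richard Park's write-up (which used Perl) and not VMware's own code: pull the Edge firewall rule set over the REST API, parse it, and diff it against a baseline policy, flagging rules that were added out of band, baseline rules that have gone missing, and any/any allows. The endpoint path, the basic-auth scheme and the XML element names are assumptions for illustration only; the sample response is constructed, and the rule schema for your vShield version must be taken from the API guide. The fetch routine keeps TLS verification on and takes the password as a parameter, because a management script that calls security APIs is itself a target.

```python
"""Audit a vShield Edge firewall rule set over its REST API against a baseline.

ASSUMPTIONS (not taken from the page or from VMware documentation): the path in
FIREWALL_URL and the element names used in parse_rules() are illustrative
placeholders; substitute the ones documented for your vShield release.
SAMPLE_XML below is constructed for the demo, not captured from a real manager.
"""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Assumed endpoint shape; the real path depends on the vShield release.
FIREWALL_URL = "https://{vsm}/api/2.0/network/{edge_id}/firewall/rules"


@dataclass(frozen=True)
class Rule:
    rule_id: str
    source: str
    destination: str
    protocol: str
    port: str
    action: str

    def key(self):
        """Identity of a rule for comparison: everything except the manager-assigned id."""
        return (self.source, self.destination, self.protocol, self.port, self.action)


def fetch_rules_xml(vsm_host, edge_id, user, password, cafile):
    """GET the firewall configuration with basic auth over verified TLS.

    The script holds credentials and trusts whatever the manager returns, so
    certificate verification stays on (pin the vShield Manager CA via cafile)
    and the password is passed in rather than hard-coded.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        FIREWALL_URL.format(vsm=vsm_host, edge_id=edge_id),
        headers={"Authorization": "Basic " + token, "Accept": "application/xml"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read()


def parse_rules(xml_bytes):
    """Turn the (assumed) <firewallRule> elements into Rule objects.

    A missing source/destination/protocol/port defaults to "any": a rule with
    no restriction on a field matches everything, so read it that way.
    """
    root = ET.fromstring(xml_bytes)
    rules = []
    for elem in root.iter("firewallRule"):
        def field(name, default="any"):
            return (elem.findtext(name) or default).strip().lower()
        rules.append(Rule(
            rule_id=(elem.findtext("id") or "").strip(),
            source=field("source"),
            destination=field("destination"),
            protocol=field("protocol"),
            port=field("port"),
            action=field("action", default=""),
        ))
    return rules


def audit(actual, baseline):
    """Compare deployed rules with the baseline.

    Returns a list of (finding, rule) tuples:
      UNEXPECTED  deployed rule that is not in the baseline (drift, out-of-band change)
      MISSING     baseline rule that is not deployed
      PERMISSIVE  deployed allow rule with any source and any destination
    """
    expected = {r.key() for r in baseline}
    deployed = {r.key() for r in actual}
    findings = []
    for r in actual:
        if r.key() not in expected:
            findings.append(("UNEXPECTED", r))
    for r in baseline:
        if r.key() not in deployed:
            findings.append(("MISSING", r))
    for r in actual:
        if r.action == "allow" and r.source == "any" and r.destination == "any":
            findings.append(("PERMISSIVE", r))
    return findings


# Constructed sample response: the HTTPS rule is correct, rule 2 is a wide-open
# allow that somebody added by hand, and the SSH rule is absent.
SAMPLE_XML = b"""<firewallConfig>
  <firewallRule>
    <id>1</id><source>10.0.0.0/24</source><destination>10.0.1.10</destination>
    <protocol>tcp</protocol><port>443</port><action>allow</action>
  </firewallRule>
  <firewallRule>
    <id>2</id><source>any</source><destination>any</destination>
    <protocol>any</protocol><port>any</port><action>allow</action>
  </firewallRule>
</firewallConfig>"""

# Baseline policy: HTTPS and SSH from the management subnet to the web VM, nothing else.
BASELINE = [
    Rule("", "10.0.0.0/24", "10.0.1.10", "tcp", "443", "allow"),
    Rule("", "10.0.0.0/24", "10.0.1.10", "tcp", "22", "allow"),
]


def audit_sample():
    """Run the audit on the constructed sample; returns the findings list."""
    return audit(parse_rules(SAMPLE_XML), BASELINE)


if __name__ == "__main__":
    # Against a live manager: audit(parse_rules(fetch_rules_xml(...)), BASELINE)
    for kind, rule in audit_sample():
        print(f"{kind:10} id={rule.rule_id or '-'} {rule.source} -> {rule.destination} "
              f"{rule.protocol}/{rule.port} {rule.action}")
```

Run against the sample it reports rule 2 as UNEXPECTED and PERMISSIVE and the SSH rule as MISSING; the same `audit()` can be scheduled against `fetch_rules_xml()` output so that policy drift on the Edge shows up in a ticket rather than in an incident. The baseline itself should live in version control so that the audit compares the device to a reviewed policy, not to whatever was last observed.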

In reference to your talk at Gluecon. I have a lot of SysOp and Network Admin associates who would love to automate their security and take advantage of APIs, but they are scared of programming. They don't consider themselves programmers even though they often use many scripts they find for various manual tasks, and are perfectly competent. Something to do with silos of roles or something.

I think they need more examples like the Perl / VMware solution above in a central location / book that they can put to use and get more used to automation.

I certainly like the push for API and automation in infrastructure and security, and it's undoubtedly the right thing to do and the right path to move forward. But I don't yet see many people asking questions about how all these devices will interoperate, how info will be passed between various layers of defense, and so on. The fact that info is accessible programmatically does NOT automagically lead to good interop.

Also, it's going to be interesting when people realize that their management scripts and systems that call APIs also need to be protected against attack, and so on and so forth.

Having API and being able to call it is just a first step, not the end goal. I want to see tools and systems that use API from various vendors to get me a higher level view + intelligence. That would be cool.

As a sidenote, been a long time since I came here – like the overall redesign, but the font in this window where I am typing this is horrible (Chrome on Mac).

Agreed, but we're not likely to have a consistent policy across heterogeneous security engines for a long time UNLESS we abstract and use that abstraction as a lever (even if it's kludgy to start) in order to make progress here. To the point about securing APIs, that was the point of my blog a couple of days ago. Everything has a price (or a "tax," as it's known in these parts). BTW, I'll look into the font issue… it's the comment stylesheet of IntenseDebate I'm having an issue with. Thanks.

Great point. I don't think you need to be a "coder" to successfully automate, but to your comment about a central repository, I was talking to the guys from OpsCode about launching a community effort focused around recipes/cookbooks for Chef specifically for security components of well-known products. I need to kick that discussion back up (h/t to Adrian Cole, with whom I originally had this discussion two years ago at Glue).

Glad to be of service! VMware has committed to improving their vShield API over time to offer even more functionality, which is great news for security vendors such as ourselves who want to further leverage VMware integration.

For those who are interested in integration with vSphere in general (not just vShield), there is an open source API called VMware Infrastructure Java API available at http://vijava.sf.net. The API abstracts the vSphere Web Services SDK to make it easier to work with. You can use any language that leverages the JVM, such as JRuby, Scala, Jython, etc.

The API author Steve Jin has a site at http://www.doublecloud.org with lots of good coding examples. He's also written a book called "VMware VI and vSphere SDK: Managing the VMware Infrastructure and vSphere". I highly recommend it!